(((Image:\\powershell.exe OR Image:\\pwsh.exe) OR (OriginalFileName:PowerShell.EXE OR OriginalFileName:pwsh.dll)) (CommandLine:\-DisableBehaviorMonitoring\ $true* OR CommandLine:\-DisableRuntimeMonitoring\ $true*)) OR ((Image:\\sc.exe OR OriginalFileName:sc.exe) ((CommandLine:stop* CommandLine:WinDefend*) OR (CommandLine:delete* CommandLine:WinDefend*) OR (CommandLine:config* CommandLine:WinDefend* CommandLine:start=disabled*)))